Ransomware Pays: FBI Updates Reveton Malware Warning

Latest malware, trying to trick users into paying a fine, claims the FBI is using audio, video, and other devices to record computer's "illegal" activity.

Who Is Hacking U.S. Banks? 8 Facts

(click image for larger view and for slideshow)

Can people pay a fine online, avoid the threat of prosecution by the FBI, and unlock their locked PC all in one go?

That's the offer made by a "Threat of Prosecution Reminder" that's been flashing on numerous PC screens, which says that the FBI has locked the PC after finding evidence that the computer has been used to access child pornography or other illegal content. The latest version of this notice says that "all activity on this computer is being recorded using audio, video, and other devices." But users are offered a way to pay the related fine being levied, immediately unlock their PC, and see the whole matter immediately dismissed.

The warning, however, is just a setup. "This is not a legitimate communication from the IC3, but rather is an attempt to extort money from the victim," according to an advisory released last week by the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center. "If you have received this or something similar do not follow payment instruction."

The extortion part of the scam -- now also featured on the FBI's list of e-scams -- is facilitated by a malicious application known as Reveton, which according to antivirus vendor F-Secure "fraudulently claims to be from a legitimate law enforcement authority and prevents users from accessing their infected machine, demanding that a 'fine' must be paid to restore normal access." Machines are typically infected with Reveton via malicious websites -- using drive-by download attacks launched by Citadel crimeware -- rather than being introduced via phishing attacks or malicious email attachments.

"To unlock the computer, the user is instructed to pay a fine using prepaid money card services," according to the IC3. "The geographic location of the user's PC determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud."

Don't pay the bogus fine, but do seek help when removing Reveton. "Manual disinfection is a risky process; it is recommended only for advanced users," says F-Secure. If a PC has been infected, also don't rely on any antivirus software that's already been installed, as "some variants of [Reveton] may make lasting changes to your computer that make it difficult for you to download, install, run, or update your virus protection," states a Microsoft malware advisory.

Numerous Reveton-driven ransomware campaigns have been seen this year, localized not just for residents of the United States but also for Finland, Ireland, Germany, and other parts of Europe. The FBI previously released an alert about the Reveton malware in August, with IC3 manager Donna Gregory saying, "We're getting inundated with complaints," and noting that fine payments of $200 didn't seem to be uncommon.

Given the FBI's new warning, PC users obviously haven't been getting the message about the scam. The latest version of Reveton also contains a variation on the previous social-engineering attack. "In addition to instilling a fear of prosecution, this version of the malware also claims that the user's computer activity is being recorded using audio, video, and other devices," according to the IC3.

Unfortunately, any PC infected with Reveton faces further problems, as the malware is delivered by the Citadel malware toolkit, which does in fact include the ability to record whatever users are doing on their PC screen, typically for the purposes of committing "online banking and credit card fraud," according to the IC3.

Why do criminals bother with ransomware? Simply put, because such attacks seem to pay. Symantec security researchers Gavin O'Gorman and Geoff McDonald recently studied 68,000 PCs that had been compromised by ransomware in the space of a month, and found that attackers' haul could have been $400,000. One recent 18-day Reveton attack, meanwhile, had attempted to infect 500,000 PCs. "Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million a year is being extorted from victims," wrote the researchers in a related report. "The real number is, however, likely much higher."

Faster networks are coming, but security and monitoring systems aren't necessarily keeping up. Also in the new, all-digital Data Security At Full Speed special issue of InformationWeek: A look at what lawmakers around the world are doing to add to companies' security worries. (Free registration required.)

Keeping up on list of IT scams I am sure would help you in a situation like this. Sounds like nasty malware tough, allowing its self to monitor audio and video, and even pull your browser passwords and such. It did not really go int o detail abut how to get rid of it, is there a easier way or should I say free way or do I have to pay a fee somewhere to have it removed, ironic huh?

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.